MPRI 2-30: Automated Verification of Cryptographic Protocol Implementations
K. Bhargavan (slides from A.D. Gordon and C. Fournet), Spring 2014
TLS Handshakes
Full handshake

  Client                                Server
  ClientHello               -------->
                                        ServerHello
                                        Certificate*
                                        ServerKeyExchange*
                                        CertificateRequest*
                            <--------   ServerHelloDone
  Certificate*
  ClientKeyExchange
  CertificateVerify*
  [ChangeCipherSpec]
  Finished                  -------->
                                        [ChangeCipherSpec]
                            <--------   Finished
  Application Data          <------->   Application Data

Abbreviated handshake

  Client                                Server
  ClientHello               -------->
                                        ServerHello
                                        [ChangeCipherSpec]
                            <--------   Finished
  [ChangeCipherSpec]
  Finished                  -------->
  Application Data          <------->   Application Data
The Handshake

• Two linked sub-protocols
  – Negotiates protocol version, handshake method and algorithms, authenticated encryption method and algorithms
  – Authenticates peers from their certificates
  – Derives connection keys
• Full handshake takes up to 3 rounds with 11 messages
• Abbreviated handshake often possible
Full handshake (with message contents)

  Client                                              Server
  ClientHello [Vmax, Cr, sId*, CSs, CMs, Cext]  -------->
                                                      ServerHello [V, Sr, sId, CS, CM, Sext]
                                                      Certificate*
                                                      ServerKeyExchange*
                                                      CertificateRequest*
                                            <--------  ServerHelloDone
  Certificate*
  ClientKeyExchange
  CertificateVerify*
  ChangeCipherSpec
  Finished [MAC(Clog)]                      -------->
                                                      ChangeCipherSpec
                                            <--------  Finished [MAC(Slog)]
  Application Data                          <------->  Application Data

The key exchange messages are used to compute a shared pre-master secret (PMS), then the master secret (MS) for the session.

The MS and (Cr, Sr) are used to (1) derive fresh connection keys and (2) authenticate the handshake digests in the Finished messages.
Abbreviated handshake (with message contents)

  Client                                              Server
  ClientHello [Vmax, Cr, sId, CSs, CMs, Cext]   -------->
                                                      ServerHello [V, Sr, sId, CS, CM, Sext]
                                                      ChangeCipherSpec
                                            <--------  Finished [MAC(Slog)]
  ChangeCipherSpec
  Finished [MAC(Clog)]                      -------->
  Application Data                          <------->  Application Data

Provided the client and server already share a session sId, they can use its pre-established master secret and (Cr, Sr) to derive fresh connection keys.

This saves one round trip and any public-key cryptography.

Otherwise the server continues with a full handshake (picking some fresh sId).
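As an added example (not from the slides), here is the key derivation the two notes above describe, written against the TLS 1.2 PRF of RFC 5246 with SHA-256, taking Cr and Sr to be the hello randoms: MS from PMS, fresh connection keys from MS and (Cr, Sr), the Finished MACs over a handshake-log digest, and a resumption that reuses MS with fresh randoms as in the abbreviated handshake. The function names, the sample pms and the handshake-log bytes are this example's own constructions.

```python
import hashlib
import hmac
import os

def p_sha256(secret: bytes, seed: bytes, n: int) -> bytes:
    """TLS 1.2 P_SHA256 (RFC 5246, section 5): expand seed to n bytes with HMAC."""
    out, a = b"", seed                                              # A(0) = seed
    while len(out) < n:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:n]

def prf(secret: bytes, label: bytes, seed: bytes, n: int) -> bytes:
    return p_sha256(secret, label + seed, n)

def master_secret(pms: bytes, cr: bytes, sr: bytes) -> bytes:
    # MS = PRF(PMS, "master secret", Cr | Sr), always 48 bytes
    return prf(pms, b"master secret", cr + sr, 48)

def connection_keys(ms: bytes, cr: bytes, sr: bytes, mac_len=32, key_len=16, iv_len=16) -> dict:
    # key_block = PRF(MS, "key expansion", Sr | Cr): the server random comes first here
    block = prf(ms, b"key expansion", sr + cr, 2 * (mac_len + key_len + iv_len))
    layout = [("client_mac", mac_len), ("server_mac", mac_len), ("client_key", key_len),
              ("server_key", key_len), ("client_iv", iv_len), ("server_iv", iv_len)]
    keys, off = {}, 0
    for name, size in layout:
        keys[name] = block[off:off + size]
        off += size
    return keys

def finished_mac(ms: bytes, label: bytes, log: bytes) -> bytes:
    # verify_data = PRF(MS, label, SHA256(handshake log))[:12], with label
    # b"client finished" for MAC(Clog) and b"server finished" for MAC(Slog)
    return prf(ms, label, hashlib.sha256(log).digest(), 12)

def demo():
    """Constructed values: a full handshake, then a resumption of the same session."""
    pms = b"\x03\x03" + os.urandom(46)        # RSA-style pms: version bytes + 46 random bytes
    cr, sr = os.urandom(32), os.urandom(32)
    ms = master_secret(pms, cr, sr)
    keys = connection_keys(ms, cr, sr)
    clog = b"<constructed handshake log up to the client Finished>"
    client_fin = finished_mac(ms, b"client finished", clog)
    # Abbreviated handshake: same MS, fresh (Cr, Sr), hence fresh connection keys
    cr2, sr2 = os.urandom(32), os.urandom(32)
    keys2 = connection_keys(ms, cr2, sr2)
    return ms, keys, client_fin, keys2
```

A peer that tampers with any handshake message changes the log digest and therefore the expected Finished value, which is what property (2) in the note relies on.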
RSA full handshake

  Client                                          Server
  ClientHello [Cr]                     -------->
                                                  ServerHello [Sr]
                                                  Certificate chain[dk]
                                                  CertificateRequest*
                                       <--------  ServerHelloDone
  Certificate*
  ClientKeyExchange [{pms}_ek]
  CertificateVerify* [sig(Clog')]
  ChangeCipherSpec
  Finished [MAC(Clog)]                 -------->
                                                  ChangeCipherSpec
                                       <--------  Finished [MAC(Slog)]
  Application Data                     <------->  Application Data

The client samples a fresh pms (mostly) at random.

Here * stands for "if Client auth", at the server's initiative (prescribing "for signing" as X.509 attributes).
DHE full handshake

  Client                                                  Server
  ClientHello [Cr]                            -------->
                                                          ServerHello [Sr]
                                                          Certificate chain[vk | fixed p g g^y]
                                                          ServerKeyExchange [p g g^y, sig(Cr Sr p g g^y)_vk]
                                                          CertificateRequest* [for signing | fixed]
                                              <--------   ServerHelloDone
  Certificate* chain[for signing | fixed p g g^x]
  ClientKeyExchange [fixed ? empty : g^x]
  CertificateVerify* [sig(Clog')]
  ChangeCipherSpec
  Finished [MAC(Clog)]                        -------->
                                                          ChangeCipherSpec
                                              <--------   Finished [MAC(Slog)]
  Application Data                            <------->   Application Data

E stands for server-ephemeral; client-ephemeral: "for signing".

Here * stands for "if Client auth", at the server's initiative (prescribing "for signing", "fixed", or both, as X.509 attributes).

…_DSA and …_RSA only affect the X.509 certificates; EC… should only affect the crypto parameters.
Diffie-Hellman Key Exchange

• A fundamental cryptographic algorithm [1976]

  Alice                                            Bob
           agree on public parameters:
           p prime, g generator of Z/pZ*, q = |Z/pZ*|

  let x = sample q                                 let y = sample q
  let X = g^x                                      let Y = g^y
                     exchange X & Y
  let Z = Y^x                                      let Z = X^y

           now sharing Z = g^(x*y)
           we can derive keys as PRF(Z, …)

• Secure against passive adversaries; otherwise we must authenticate X and Y
• Many variants: STS, ISO, MQV, SIGMA
• Many implementations: SSH, IPsec, Kerberos
Decisional Diffie-Hellman

• The Decisional Diffie-Hellman assumption: the probability of distinguishing between the exponentials of a DH exchange and its idealized variant is negligible

           agree on public parameters:
           p prime, g generator of Z/pZ*, q = |Z/pZ*|

  Concrete                          Ideal
  let x = sample q                  let x = sample q
  let y = sample q                  let y = sample q
                                    let z = sample q
  (g^x, g^y, g^(x*y))               (g^x, g^y, g^z)

• Application: El Gamal encryption is CPA

  let GEN() =             let ENC X m =             let ENC* X m =
    let x = sample q        let y = sample q          let y = sample q
    (x, g^x)                (g^y, X^y * m)            let z = sample q
                                                      (g^y, g^z * m)
  let DEC x (Y, M) = M / Y^x
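The exchange on the Diffie-Hellman slide and the El Gamal GEN / ENC / ENC* / DEC definitions on this slide, as an added example that is not part of the original slides. It uses a constructed toy group (p = 1019, g = 2) so the arithmetic is readable, follows the slide's convention q = |Z/pZ*|, and adds a generator check of the kind a client would apply to the p, g it receives in ServerKeyExchange; the HMAC-based derive_key stands in for the slide's PRF(Z, …) and is an assumption of this example, not TLS's PRF.

```python
import hashlib
import hmac
import secrets

# Constructed toy group: p = 1019 is a safe prime (p = 2*509 + 1) and g = 2 generates
# Z/pZ*. Real deployments use >= 2048-bit groups; the small size is only for readability.
P, G = 1019, 2
Q = P - 1                     # q = |Z/pZ*| as on the slide; exponents are sampled below q

def is_generator(g: int, p: int) -> bool:
    """For a safe prime p, g generates Z/pZ* iff g^2 != 1 and g^((p-1)/2) != 1 (mod p).
    This is the kind of check a client should run on p, g received in ServerKeyExchange."""
    return 1 < g < p - 1 and pow(g, 2, p) != 1 and pow(g, (p - 1) // 2, p) != 1

def sample(q: int) -> int:
    return secrets.randbelow(q - 1) + 1          # uniform in 1..q-1

def dh_exchange() -> int:
    """Alice and Bob each sample an exponent; only X and Y travel over the wire."""
    x, y = sample(Q), sample(Q)
    X, Y = pow(G, x, P), pow(G, y, P)
    z_alice, z_bob = pow(Y, x, P), pow(X, y, P)  # Z = Y^x = X^y = g^(x*y)
    assert z_alice == z_bob == pow(G, x * y, P)
    return z_alice

def derive_key(z: int, label: bytes) -> bytes:
    # Stand-in for PRF(Z, ...): an HMAC keyed with the shared value (constructed, not TLS's PRF)
    return hmac.new(z.to_bytes(2, "big"), label, hashlib.sha256).digest()

# El Gamal as written on the DDH slide: GEN, ENC, the idealized ENC*, and DEC
def gen():
    x = sample(Q)
    return x, pow(G, x, P)

def enc(X: int, m: int):
    y = sample(Q)
    return pow(G, y, P), (pow(X, y, P) * m) % P

def enc_ideal(X: int, m: int):
    y, z = sample(Q), sample(Q)                  # the slide's ENC*: g^z replaces X^y
    return pow(G, y, P), (pow(G, z, P) * m) % P

def dec(x: int, ct) -> int:
    Y, M = ct
    return (M * pow(Y, -x, P)) % P               # M / Y^x
```

The DDH assumption is stated for a prime-order group; over all of Z/pZ* (order p - 1, as the slide's q) the quadratic residuosity of g^(x*y) is determined by that of g^x and g^y, which is why implementations work in the order-509 subgroup of this toy group, or a prime-order subgroup in general.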
The Handshake, ideally

• Our interface abstracts over many details of the Handshake
  – Handshake messages and their formats
  – Certificate formats and public key infrastructure
  – Database of past sessions, available for abbreviated handshakes
• A key index is safe when
  – Its ciphersuite is cryptographically strong; and
  – Its peer authentication materials are trustworthy, e.g. the private key for the peer certificate is used only by compliant handshake sessions
• For instances with safe indexes, the (typed) idealized handshake
  – Generates fresh abstract keys instead of calling the concrete KDF
  – Drops "Complete" notifications not preceded by a Finished with matching parameters sent by a compliant peer instance.